
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control - TechDays Belgium 2013

APIs are the new apps. They can be consumed by everyone using a web browser or a mobile application on their smartphone or tablet. How would you build your API if you want these apps to be a full-fledged front-end to your service without compromising security? In this session, Maarten will explain how to build an API using the ASP.NET Web API framework and how the Windows Azure Access Control service can be used to almost completely outsource all security and OAuth-related tasks.

Published in: Technology

  1. Who am I?
     Maarten Balliauw
     Technical Evangelist, JetBrains
     MyGet.org
     AZUG
     Focus on web: ASP.NET MVC, Windows Azure, SignalR, ...
     MVP Windows Azure & ASPInsider
     Shameless self promotion: Pro NuGet - http://amzn.to/pronuget (buy me a beer!)
     http://blog.maartenballiauw.be
     @maartenballiauw
  2. Agenda
     Why would I need an API?
     API characteristics
     ASP.NET MVC Web API
     Windows Azure ACS
  3. Why would I need an API?
  4. Consuming the web
     2000-2008: Desktop browser
     2008-2012: Mobile browser
     2008-2012: iPhone and Android apps
     2010-2014: Tablets, tablets, tablets
     2014-2016: Your fridge (Internet of Things)
  5. Twitter & Facebook
     By show of hands
  6. Make everyone API
     (as the French say)
  7. Expose services to 3rd parties
     Valuable
     Flexible
     Managed
     Supported
     Have a plan
  8. Reach More Clients
  9. You’re not the only one
     Source: http://blog.programmableweb.com/2012/04/16/open-apis-have-become-an-essential-piece-to-the-startup-model/
  10. API Characteristics
  11. What is an API?
      Software-to-software interface
      Contract between software and developers: functionalities, constraints (technical / legal), programming instructions and standards
      Open services to other software developers (public or private)
  12. Flavours
      Transport: HTTP, Sockets
      Message contract: SOAP, XML, Binary, JSON, HTML, …
  13. Technical
      Most APIs use HTTP and REST extensively:
      Addressing
      HTTP verbs
      Media types
      HTTP status codes
      Hypermedia (*)
  14. Demo
  15. HTTP Verbs
      GET – return data
      HEAD – check if the data exists
      POST – create or update data
      PUT – put data
      MERGE – merge values with existing data
      DELETE – delete data
  16. Status codes
      200 OK – Everything is OK, your expected data is in the response.
      401 Unauthorized – You either have to log in or you are not allowed to access the resource.
      404 Not Found – The resource could not be found.
      500 Internal Server Error – The server failed processing your request.
      …
  17. Think RFC2324!
  18. ASP.NET Web API
  19. ASP.NET Web API
      Part of ASP.NET MVC 4
      Framework to build HTTP services (REST)
      Solid features:
      Modern HTTP programming model
      Content negotiation (e.g. xml, json, ...)
      Query composition (OData query support)
      Model binding and validation (conversion to .NET objects)
      Routes
      Filters (e.g. validation, exception handling, ...)
      And more!
  20. ASP.NET Web API is easy!
      HTTP verb = action
      “Content-type” header = data format in
      “Accept” header = data format out
      Return a meaningful status code
  21. Demo
  22. Securing your API
      No authentication
      Basic/Windows authentication
      [Authorize] attribute
  23. Demo
  24. The world of API clients is complex
      Clients: HTML5+JS, SPA, native apps, server-to-server
      AuthN + AuthZ: username/password? Basic auth? NTLM / Kerberos? Client certificate? Shared secret?
  25. A lot of public APIs…
      “your API consumer isn’t really your user, but an application acting on behalf of a user” (or: API consumer != user)
  26. OAuth2
  27. TechDays badges
      “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
  28. TechDays badges
      +--------+                               +---------------+
      |        |--(A)- Register for TechDays-->|   Resource    |
      |        |                               |     Owner     |
      |        |<-(B)-Sure! Here’s an e-ticket-|   Microsoft   |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      | Client |--(C)----- Was invited! ------>| Authorization |
      |   Me   |                               |     Server    |
      |        |<-(D)---- Here’s a badge! -----|   Reception   |
      |        |      (5-7 March;speaker)      +---------------+
      |        |
      |        |                               +---------------+
      |        |--(E)------ Show badge ------->|   Resource    |
      |        |                               |     Server    |
      |        |<-(F)-- Enter speakers room ---|   Kinepolis   |
      +--------+                               +---------------+
      Next year, I will have to refresh my badge
  29. TechDays badges
      “I received a ticket with a Barcode I can hand to the Reception which gives me a Badge stating Microsoft gives Me access to Kinepolis as a Speaker on 5-7 March”
      Delegation:
      Me = Client
      Barcode = Access Code
      Reception = Authorization Server
      Microsoft = Resource Owner
      Kinepolis = Resource Server
      Badge = Access Token
      Speaker = Scope
      5-7 March = Token Lifetime
  30. OAuth2
      +--------+                               +---------------+
      |        |--(A)- Authorization Request ->|   Resource    |
      |        |                               |     Owner     |
      |        |<-(B)-- Authorization Grant ---|               |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      |        |--(C)-- Authorization Grant -->| Authorization |
      | Client |                               |     Server    |
      |        |<-(D)----- Access Token -------|               |
      |        |                               +---------------+
      |        |
      |        |                               +---------------+
      |        |--(E)----- Access Token ------>|    Resource   |
      |        |                               |     Server    |
      |        |<-(F)--- Protected Resource ---|               |
      +--------+                               +---------------+
      Figure 1: Abstract Protocol Flow (http://tools.ietf.org/html/draft-ietf-oauth-v2-31)
  31. Demo
  32. Quick side note…
      There are 3 major authentication flows
      Based on type of client
      Variants possible
  33. OAuth2 – Initial flow
  34. OAuth2 – “Refresh” (one of those variants)
  35. Access tokens / Refresh tokens
      In theory: whatever format you want
      Widely used: JWT (“JSON Web Token”)
      Less widely used: SWT (“Simple Web Token”)
      Signed / Encrypted
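The badge analogy (slides 27-29), the abstract flow (A)-(F) of slide 30 and the refresh variant of slide 34 are easiest to follow in running code. The following is an added example, not code from the talk or from ASP.NET Web API or ACS: a toy authorization server, resource server and client walk-through in Python. The class names, the client id `speaker-app`, its secret, the `speaker` scope and the resource paths are all constructed for the example; tokens are opaque random strings (slide 35: whatever format you want), and the clock is injected so a token can be expired on demand.

```python
"""OAuth2 abstract flow (A)-(F) plus the refresh variant, as a toy simulation.
Added example, not code from the talk. Roles carry the badge-analogy names;
tokens are opaque random strings; client id, secret, scope and paths are constructed."""
import secrets
import time
from collections import namedtuple

# The badge: value, scope ("Speaker") and expires_at ("5-7 March", epoch seconds)
AccessToken = namedtuple("AccessToken", "value scope expires_at")


class AuthorizationServer:
    """The Reception: turns the resource owner's grant into a badge."""
    def __init__(self, clock=time.time, token_ttl=3600):
        self.clock, self.token_ttl = clock, token_ttl  # clock is injectable for tests
        self.clients = {}   # client_id -> secret: the supported consumers
        self._codes = {}    # authorization code -> (client_id, scope), single use
        self._tokens = {}   # access token -> AccessToken
        self._refresh = {}  # refresh token -> (client_id, scope), rotated on use

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def issue_grant(self, client_id, scope):
        """(A)+(B): the owner consented; hand the client a one-time code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, frozenset(scope))
        return code

    def _redeem(self, store, key, client_id, client_secret):
        """Authenticate the client, then spend a one-time code or refresh token."""
        known = self.clients.get(client_id, "")
        if not secrets.compare_digest(known.encode(), client_secret.encode()):
            raise PermissionError("invalid_client")
        owner, scope = store.pop(key, (None, None))  # pop: each value works once
        if owner != client_id:
            raise PermissionError("invalid_grant")
        return self._mint(client_id, scope)

    def exchange_code(self, client_id, client_secret, code):
        """(C)+(D): authorization code + client credentials -> tokens."""
        return self._redeem(self._codes, code, client_id, client_secret)

    def refresh(self, client_id, client_secret, refresh_token):
        """A new badge next year without sending the owner through (A) again."""
        return self._redeem(self._refresh, refresh_token, client_id, client_secret)

    def _mint(self, client_id, scope):
        token = AccessToken(secrets.token_urlsafe(32), scope, self.clock() + self.token_ttl)
        self._tokens[token.value] = token
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = (client_id, scope)
        return token.value, refresh_token

    def introspect(self, token_value):
        """Is this badge genuine and within its lifetime? Returns None if not."""
        token = self._tokens.get(token_value)
        if token is None or self.clock() >= token.expires_at:
            return None
        return token


class ResourceServer:
    """Kinepolis: admits badge holders to the rooms their scope allows."""
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get(self, path, bearer_token, required_scope):
        """(E)+(F): returns (HTTP status, body) the way a Web API action would."""
        token = self.auth_server.introspect(bearer_token)
        if token is None:
            return 401, "missing, unknown or expired token"
        if required_scope not in token.scope:
            return 403, "insufficient scope"
        return 200, f"protected resource at {path}"


class FakeClock:
    """Settable clock, so expiry can be driven instead of waited for."""
    def __init__(self, now): self.now = now
    def __call__(self): return self.now


def run_flow(clock):
    """Walks (A)-(F), then expiry and refresh; returns the status codes seen."""
    auth = AuthorizationServer(clock=clock, token_ttl=60)
    auth.register_client("speaker-app", "constructed-secret")
    api = ResourceServer(auth)
    code = auth.issue_grant("speaker-app", {"speaker"})
    access, refresh = auth.exchange_code("speaker-app", "constructed-secret", code)
    seen = [api.get("/speakers-room", access, "speaker")[0],  # 200: scope matches
            api.get("/organizers", access, "organizer")[0]]   # 403: scope too narrow
    clock.now += 61                                           # badge lifetime is over
    seen.append(api.get("/speakers-room", access, "speaker")[0])  # 401: expired
    access, refresh = auth.refresh("speaker-app", "constructed-secret", refresh)
    seen.append(api.get("/speakers-room", access, "speaker")[0])  # 200: fresh badge
    return seen
```

`run_flow(FakeClock(time.time()))` returns `[200, 403, 401, 200]`: scope granted, scope missing, token expired, token refreshed. The two details worth copying into a real server are the ones slide 38 lists as your job when you do not outsource them: the authorization code and the refresh token are popped on use so neither can be replayed, and the resource server asks about expiry and scope on every request instead of trusting the bearer string on its own.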
  36. JWT
      Header: {"alg":"none"}
      Token: {"iss":"joe", "exp":1300819380, "http://some.ns/read":true}
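The slide shows the JWT example with a header of `{"alg":"none"}`, i.e. an unsigned token. The following is an added example, not code from the talk, of what the API side has to do with such a token: a minimal HS256 issuer and verifier in the Python standard library that signs the slide's claims and, because the verifier pins the algorithm it accepts, rejects the unsigned form, a tampered claim set and an expired token. `DEMO_KEY` is a constructed shared secret between issuer and API; a production API would use a maintained JWT library rather than this hand-rolled one.

```python
"""Minimal JWT (HS256) issuer and verifier, using only the standard library.
Added example, not code from the talk: it signs the claims shown on the slide and
shows why the verifier must pin the algorithm, so the slide's unsigned {"alg":"none"}
form is rejected. DEMO_KEY is a constructed shared secret between issuer and API."""
import base64
import hashlib
import hmac
import json
import time

SLIDE_CLAIMS = {"iss": "joe", "exp": 1300819380, "http://some.ns/read": True}
DEMO_KEY = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def issue(claims: dict, key: bytes) -> str:
    """Compact serialization: b64url(header).b64url(claims).b64url(HMAC-SHA256)."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, key: bytes, issuer: str, now=None) -> dict:
    """Return the claims if the token is valid for this API, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The API, not the token, decides the algorithm: "none" never skips the MAC.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    return claims


def check(token: str, now: float) -> str:
    """Outcome of verifying a token against DEMO_KEY at a given time."""
    try:
        verify(token, DEMO_KEY, issuer="joe", now=now)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


def demo() -> dict:
    """Signed slide claims vs. the unsigned, tampered and expired variants."""
    before_exp = 1300819000  # the slide's exp (1300819380) is in 2011, so pin 'now'
    signed = issue(SLIDE_CLAIMS, DEMO_KEY)
    head, body, sig = signed.split(".")
    unsigned = _b64url(b'{"alg":"none"}') + "." + body + "."  # the header on the slide
    widened = dict(SLIDE_CLAIMS, **{"http://some.ns/write": True})  # claim added, old sig kept
    tampered = head + "." + _b64url(_json(widened)) + "." + sig
    return {
        "signed": check(signed, before_exp),
        "unsigned_alg_none": check(unsigned, before_exp),
        "tampered_claims": check(tampered, before_exp),
        "after_exp": check(signed, SLIDE_CLAIMS["exp"]),
    }
```

`demo()` returns `accepted` only for the signed token checked before its `exp`; the `alg: none` token is refused before any signature is even looked at, the widened claim set fails the MAC, and the signed token is refused once `now` reaches `exp`. The order of checks matters: algorithm first, then signature, and only then the claims, so that nothing in an unverified payload influences a decision.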
  37. Is OAuth2 different from OpenID?
      Yes.
      OpenID = authN
      OAuth2 = authN (optional) + authZ
      http://softwareas.com/oauth-openid-youre-barking-up-the-wrong-tree-if-you-think-theyre-the-same-thing
      http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx
  38. What you have to implement
      OAuth authorization server
      Keep track of supported consumers
      Keep track of user consent
      OAuth token expiration & refresh
      Oh, and your API
  39. Windows Azure Access Control Service
  40. ACS - Identity in Windows Azure
      Active Directory federation
      Graph API
      Web SSO
      Link apps to identity providers using rules
      Support for WS-Security, WS-Federation, SAML
      Little known feature: OAuth2 delegation
  41. OAuth flow using ACS
  42. Demo
  43. OAuth2 delegation?
      You: OAuth authorization server
      ACS: Keep track of supported consumers
      ACS: Keep track of user consent
      ACS: OAuth token expiration & refresh
      You: Your API
  44. Conclusion
  45. Key takeaways
      APIs are the new apps
      Valuable
      HTTP
      ASP.NET Web API
      OAuth2
      Windows Azure Access Control Service
  46. Thank you!
      http://blog.maartenballiauw.be
      @maartenballiauw
      http://amzn.to/pronuget
